Load balancing

From securityrouter.org, an OpenBSD-based firewall
Revision as of 15:42, 1 February 2012 by Anders (talk | contribs)

The load balancer can dynamically redirect and route traffic. It can operate as:

  • Load balancer
  • Application layer gateway
  • SSL accelerator
  • Transparent proxy
  • Internet failover

The web administration currently has no graphical interface for this feature. In the meantime, please use the plain-text configuration editor.

HTTPS (SSL) acceleration

This very simple example provides an HTTPS accelerator. If you are using the 64-bit version (amd64) on a router with AES-NI instructions, you can expect gigabit performance. Below is a more or less complete example that uses the router exclusively as a layer 7 load balancer with only one Ethernet interface. The relay accepts SSL connections on port 443 and forwards them to the servers on port 80, so traffic between the router and the servers is not encrypted.

interface em0 {
	address 192.168.0.100/24
	route default 192.168.0.1
}
load-balancer {
	table <servers> { 192.168.0.101 192.168.0.102 }
	relay "webservers" {
		listen on 192.168.0.100 port 443 ssl
		forward to <servers> port 80 mode loadbalance check tcp
	}
}
system {
	http-server {
		port 4433
	}
	authentication {
		root-password "exremelyhardpassword"
		user "admin" {
			password "veryhardpassword"
		}
	}
	dns {
		name-server 8.8.8.8
	}
}

Then, upload the certificate and private key. These are currently not stored in the configuration file. Instead, enable root access (already enabled by the above example) and upload the files using, for example, scp, according to the skeleton files guidelines. You can also try out the load balancer with the web administration's self-signed certificate by issuing the following commands when logged in as root:

# cp /etc/ssl/server.crt /etc/ssl/192.168.0.100.crt
# cp /etc/ssl/private/server.key /etc/ssl/private/192.168.0.100.key
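
The following check is an added example, not part of the original page or the product. It reads a saved copy of the configuration and verifies that every relay listening with ssl has its certificate and key in place and that the key is readable by its owner only. It assumes, from the cp commands above, that files are named after the listen address; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the files that "listen on ... ssl" relays expect.
# Assumption (inferred from the cp commands on this page): the files are
# <ssl_dir>/<listen-address>.crt and <ssl_dir>/private/<listen-address>.key.

# Print the listen address of every relay line that ends in the "ssl" keyword.
ssl_listen_addrs() {
	awk '$1 == "listen" && $2 == "on" && $NF == "ssl" { print $3 }' "$1" | sort -u
}

# Return 0 if group and others have no permission bits on the file.
owner_only() {
	perms=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 = group + other bits
	[ "$perms" = "------" ]
}

# check_relay_ssl CONFIG [SSL_DIR]
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
check_relay_ssl() {
	conf=$1 ssl_dir=${2:-/etc/ssl} rc=0
	for addr in $(ssl_listen_addrs "$conf"); do
		crt="$ssl_dir/$addr.crt" key="$ssl_dir/private/$addr.key"
		if [ ! -f "$crt" ]; then
			echo "MISSING cert $crt"; rc=1
		fi
		if [ ! -f "$key" ]; then
			echo "MISSING key $key"; rc=1
		elif ! owner_only "$key"; then
			echo "WEAK-PERMS key $key (readable beyond owner)"; rc=1
		fi
	done
	return $rc
}
```

Call check_relay_ssl with the path to a saved copy of the configuration; the second argument defaults to /etc/ssl.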

Internet failover